The RBAC Model

Previously, data warehouse security was tightly coupled to source system security (AIS, HRMS, etc.) and was controlled by source system owners. This meant that users could work in the data warehouse only with the same security that they had in the source system. To allow for expanded analytics, we decided to decouple security from the source systems using the RBAC security model.

RBAC stands for “Role-based access control”. In this model, each role has its own set of permissions and each user is assigned to one or more roles as appropriate. Workday operates with the RBAC model as well.

The new RBAC roles in the data warehouse will allow users to run advanced analytics and to view dashboards that aggregate data from multiple applications, even if they do not have access to the source applications. For example, someone may not have an account in the Research Management System (RMS), but if they were assigned a Research role in the data warehouse, they could view the number of proposals submitted in RMS when viewing data or reports in the data warehouse.

How do we expand security for analysis while still protecting confidential data?

In order to protect confidential data, we are employing additional layers of security called domain control and regulatory control.

Domain control

When you log into Cognos, you will see only what is available for the domain you belong to. Cross-domain reporting is only possible for those with roles that grant access to more than one domain.

Regulatory control

Certain “slices” of data will be further secured with regulatory controls. Some examples of these might be FMLA, HIPAA, and student grades. Data Governance will make the final decisions as to what gets placed under regulatory control.
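
The sketch below is an added example, not the data warehouse's actual implementation. It shows how a role assignment, domain control and regulatory control can combine into one deny-by-default access decision. The role names, domain names, dataset names and tag spellings are assumptions, as is the choice to grant regulatory clearance separately from domain access.

```python
from dataclasses import dataclass

# Constructed policy: role names, domain names and tag spellings are assumptions.
ROLE_DOMAINS = {
    "research_analyst": {"research"},
    "hr_analyst": {"hr"},
    "institutional_analyst": {"research", "hr", "student"},  # cross-domain role
}
# Assumption: regulatory clearance is granted separately from domain access.
ROLE_REGULATORY = {
    "hr_analyst": {"FMLA"},
}


@dataclass(frozen=True)
class Dataset:
    name: str
    domain: str
    regulatory_tags: frozenset = frozenset()


RMS_PROPOSALS = Dataset("rms_proposal_counts", "research")
FMLA_LEAVE = Dataset("fmla_leave", "hr", frozenset({"FMLA"}))
STUDENT_GRADES = Dataset("student_grades", "student", frozenset({"STUDENT_GRADES"}))


def _grants(roles, table):
    """Union of everything the user's roles grant; unknown roles grant nothing."""
    granted = set()
    for role in roles:
        granted |= table.get(role, set())
    return granted


def visible_domains(roles):
    """Domain control: the domains a user sees after logging in."""
    return sorted(_grants(roles, ROLE_DOMAINS))


def can_view(roles, dataset):
    """Return (allowed, reason); both layers must pass, deny by default."""
    if dataset.domain not in _grants(roles, ROLE_DOMAINS):
        return False, "domain"
    missing = dataset.regulatory_tags - _grants(roles, ROLE_REGULATORY)
    if missing:
        return False, "regulatory:" + ",".join(sorted(missing))
    return True, "ok"
```

In this sketch a cross-domain role widens which domains are visible but does not by itself open a regulatory slice, so the two layers can be reviewed and audited independently.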